pkp / pkp-lib

The library used by PKP's applications OJS, OMP and OPS, open source software for scholarly publishing.
https://pkp.sfu.ca
GNU General Public License v3.0

OJS 3.2 and 3.3: multi-domain, multi-journal installation: journals with custom domain not editable from central Administration menu #7163

Open janpieterk opened 3 years ago

janpieterk commented 3 years ago

OJS installation (3.2.1.1 or 3.3.0.7) with the base_url set to maindomain.tld and journals both on maindomain.tld/path and customdomain.tld. Editing journal on domain customdomain.tld from central Administration menu does not work.

To Reproduce

Steps to reproduce the behavior:

  1. login as admin in maindomain.tld
  2. login as admin in customdomain.tld
  3. go to “Administration” in the left sidebar. This is always hosted from maindomain.tld
  4. go to “Hosted Journals”
  5. click on “Edit” for journal abc (which uses customdomain.tld)
  6. click “Save”
  7. This fires OPTIONS and PUT requests to customdomain.tld
  8. observe HTTP 403 with response body {"error":"form.csrfInvalid","errorMessage":"The form could not be submitted. You may have been logged out. Please reload the page and try again."}

Note that all CORS headers are correctly sent! See Apache config below. There are no complaints about missing or duplicate Access-Control-Allow-Origin headers or the like.

I dived into the OJS code and found this in lib/pkp/classes/security/authorization/internal/ApiCsrfMiddleware.inc.php:

// Session of the host that received the API request (here customdomain.tld)
$session = Application::get()->getRequest()->getSession();
// The X-Csrf-Token header must equal the token bound to that session
return $session && $session->getCSRFToken() === $server['HTTP_X_CSRF_TOKEN'];

And this seems to be the source of the 403. It turns out that the HTTP_X_CSRF_TOKEN which is sent from maindomain.tld is different from the $session->getCSRFToken() which belongs to the login session of customdomain.tld.

This leads me to believe that using the Administration menu (which is always from maindomain.tld) will never work for journals which use a custom domain.

Does this look correct, or am I missing something?

What application are you using? OJS 3.2.1.1, OJS 3.3.0.7

Additional information

Configuration:

config.inc.php:

base_url = "https://maindomain.tld"
base_url[index] = https://maindomain.tld/index
base_url[abc] = https://customdomain.tld
base_url[def] = https://maindomain.tld/def
restful_urls = On

Apache configuration, maindomain.tld.conf:

RewriteEngine On
RewriteBase /
RewriteRule ^api/v1(.*)$ /index.php/api/v1$1 [L,R=307]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /index.php/$1 [QSA,L]

Apache configuration, customdomain.tld.conf

Header unset Access-Control-Allow-Origin
Header unset Access-Control-Allow-Headers
Header unset Access-Control-Allow-Methods
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Headers "Content-Type, X-Csrf-Token, X-Http-Method-Override"
Header always  set Access-Control-Allow-Methods "HEAD, POST, GET, OPTIONS, PUT, DELETE"
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} !OPTIONS
RewriteRule ^api/v1(.*)$ /index.php/abc/api/v1$1 [L,R=307]
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [L,R=200]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /index.php/abc/$1 [QSA,L]

Possibly related issues: https://github.com/pkp/pkp-lib/issues/5972 https://github.com/pkp/pkp-lib/issues/4595

NateWr commented 3 years ago

Thanks for reporting, @janpieterk. I'm going to call on some help from @ajnyga or @ctgraham. I think both of you run journals on custom domains. Are you able to reproduce this issue?

janpieterk commented 3 years ago

OJS 3.3.0.7 has the same problem, updated the issue to reflect this.

ajnyga commented 3 years ago

I wonder if https://github.com/pkp/pkp-lib/issues/4595 is related?

Edit: oh, it seems it was already mentioned above...

ajnyga commented 3 years ago

I only have a setup for subdomains. I solved 4595 by hardcoding the domain to the cookie (session.cookie_domain) and it fixed the problem described there.

I actually have not set base_url[index] at all in the config. I remember having problems with that setting back in 3.0 and it has remained empty since then in our case. I only have the individual journal base_url's set.
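The following is an added example written for this page; it is not OJS code and the class and function names (CookieJar, Server, scenario) are hypothetical. It models what the ApiCsrfMiddleware check quoted in the report does in the multi-domain setup described there, and also the subdomain case with session.cookie_domain set that ajnyga mentions above. The browser is reduced to a cookie jar that follows the Domain rule for cookies (a host-only cookie goes back only to the exact host, a Domain=.maindomain.tld cookie also to its subdomains); the server keeps one session per session cookie and one CSRF token per session, exactly the relationship the middleware relies on. Requires PHP 8.0 or later.

```php
<?php
// Added example: constructed simulation of the cross-domain CSRF mismatch
// reported in this issue. Not pkp-lib code; all names are hypothetical.
declare(strict_types=1);

// A minimal browser cookie jar that honours the cookie Domain attribute.
final class CookieJar
{
    /** @var array<int, array{domain:string,hostOnly:bool,name:string,value:string}> */
    private array $cookies = [];

    public function set(string $domain, string $name, string $value, bool $hostOnly): void
    {
        $this->cookies[] = ['domain' => ltrim($domain, '.'), 'hostOnly' => $hostOnly,
                            'name' => $name, 'value' => $value];
    }

    /** Cookies a browser would attach to a request for $host. */
    public function forHost(string $host): array
    {
        $out = [];
        foreach ($this->cookies as $c) {
            $match = $host === $c['domain']
                || (!$c['hostOnly'] && str_ends_with($host, '.' . $c['domain']));
            if ($match) {
                $out[$c['name']] = $c['value'];
            }
        }
        return $out;
    }
}

// Server side: one session per OJSSID cookie, each with its own CSRF token.
final class Server
{
    /** @var array<string, string> session id => CSRF token */
    private array $sessions = [];

    // $cookieDomain mirrors session.cookie_domain in config.inc.php ('' = host-only cookie)
    public function __construct(private string $cookieDomain = '') {}

    /** Serve a page on $host: reuse the session the cookie points to, else start one. Returns the page's token. */
    public function loadPage(string $host, CookieJar $jar): string
    {
        $sid = $jar->forHost($host)['OJSSID'] ?? null;
        if ($sid === null || !isset($this->sessions[$sid])) {
            $sid = bin2hex(random_bytes(8));
            $this->sessions[$sid] = bin2hex(random_bytes(16)); // token bound to this session only
            if ($this->cookieDomain === '') {
                $jar->set($host, 'OJSSID', $sid, true);              // host-only cookie
            } else {
                $jar->set($this->cookieDomain, 'OJSSID', $sid, false); // shared across subdomains
            }
        }
        return $this->sessions[$sid];
    }

    /** Same rule as ApiCsrfMiddleware: X-Csrf-Token must equal the token of the session seen on THIS host. */
    public function apiRequest(string $host, CookieJar $jar, string $xCsrfToken): int
    {
        $sid = $jar->forHost($host)['OJSSID'] ?? null;
        $sessionToken = $sid === null ? null : ($this->sessions[$sid] ?? null);
        return ($sessionToken !== null && hash_equals($sessionToken, $xCsrfToken)) ? 200 : 403;
    }
}

/** Replays steps 2, 3 and 7 of the report: log in on the journal host, open Administration on the main host, PUT to the journal host. */
function scenario(string $adminHost, string $journalHost, string $cookieDomain = ''): int
{
    $jar = new CookieJar();
    $server = new Server($cookieDomain);
    $server->loadPage($journalHost, $jar);                   // step 2: session on the journal's host
    $token = $server->loadPage($adminHost, $jar);            // step 3: Administration page, always on main domain
    return $server->apiRequest($journalHost, $jar, $token);  // step 7: PUT carries the main domain's token
}

// Journal def lives on a path under the main domain: one host, one session, one token.
printf("def on maindomain.tld/def:              HTTP %d\n", scenario('maindomain.tld', 'maindomain.tld'));
// Journal abc on a separate registrable domain: two host-only cookies, two sessions, two tokens.
printf("abc on customdomain.tld:                HTTP %d\n", scenario('maindomain.tld', 'customdomain.tld'));
// Subdomain with session.cookie_domain = .maindomain.tld (the #4595 workaround): one shared cookie.
printf("abc.maindomain.tld, cookie_domain set:  HTTP %d\n", scenario('maindomain.tld', 'abc.maindomain.tld', '.maindomain.tld'));
// Subdomain without cookie_domain: host-only cookies again, so separate sessions.
printf("abc.maindomain.tld, no cookie_domain:   HTTP %d\n", scenario('maindomain.tld', 'abc.maindomain.tld'));
```

Run it with `php csrf_domains.php`. The point the simulation makes is that the comparison is purely between the header and the session the receiving host can see: no amount of Access-Control-Allow-Origin or Access-Control-Allow-Headers configuration changes which session cookie reaches customdomain.tld, and a token minted on maindomain.tld can never match it. The cookie_domain workaround only helps when the hosts share a registrable domain, which is why a true custom domain as in this report stays at 403. One caveat on the real browser behaviour, assumed rather than shown by the thread: a cross-origin fetch only sends the customdomain.tld cookie at all if the request uses credentials, and browsers refuse credentialed responses that carry `Access-Control-Allow-Origin: *`, so in practice the PUT may arrive with no usable session at all, which yields the same form.csrfInvalid result.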

solehhasan commented 3 years ago

I have the same problem. I just upgraded to OJS 3.3.7; because of the error display, I restored a backup of OJS 3.2.1, but when saving "site-setting" in the administrator section I have to choose two languages, otherwise it can't be saved.

janpieterk commented 3 years ago

> I actually have not set base_url[index] at all in the config. I remember having problems with that setting back in 3.0 and it has remained empty since then in our case. I only have the individual journal base_url's set.

Setting base_url[index] was the solution for the "Administration" menu resulting in a 404 when trying to access it from the backend of a journal with a custom domain (note: not a subdomain, a separate domain).

Without base_url[index], "Administration" points to https://customdomain.tld/index/admin, which does not exist. With base_url[index], "Administration" points to the correct URL https://maindomain.tld/index/admin.

ajnyga commented 3 years ago

Yeah, my installation is not helpful here since we only have subdomains and have not tested an upgrade to 3.3 yet.

jnugent commented 2 years ago

If it helps I can duplicate this bug right now in 3.3.0.10 with an installation we have. Let me know how I can help.

janpieterk commented 2 years ago

@jnugent At least it's helpful to know that this issue still exists in 3.3.0.10.

marlara commented 2 years ago

Still exists in 3.3.0.11

BobbiSixkiller commented 1 year ago

Still exists in 3.3.0.14